
Upgrade github.com/go-kit/kit package to fix CVE-2022-24450 vulnerability #5121

Merged
merged 2 commits into from
Dec 13, 2022

Conversation

PrintlnPan
Contributor

@PrintlnPan PrintlnPan commented Dec 12, 2022

Beego currently uses github.com/go-kit/kit v0.10.0, which contains the vulnerability CVE-2022-24450.
This PR upgrades the github.com/go-kit/kit package to the newest version to fix it.

NOTE:
github.com/go-kit/kit's last release version, v0.12.0, still contains the vulnerability, but the master branch has fixed it (go-kit/kit#1237), so I used the go get -v -u github.com/go-kit/kit@master command to upgrade it. (v0.12.0 was released in 2021.)
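As an added example, not code from the PR or from beego: a small POSIX shell check that a CI job could run against go.mod to tell a tagged go-kit/kit release (which, per the description above, still carries the vulnerability up to v0.12.0) from a pseudo-version pinned to a commit from master. The sample go.mod contents are constructed, and sort -V is assumed to be available.

```shell
# Added example (not from the PR or beego): flag a go.mod that pins github.com/go-kit/kit
# to a tagged release <= v0.12.0 (vulnerable per the PR) instead of a master pseudo-version.

# Constructed sample go.mod contents; not beego's real go.mod.
GOMOD_VULN='module example.com/app

go 1.18

require (
    github.com/go-kit/kit v0.10.0
)'

GOMOD_FIXED='module example.com/app

require github.com/go-kit/kit v0.12.1-0.20221213000000-0123456789ab'

# kit_version: print the version pinned for github.com/go-kit/kit in the go.mod text
# read from stdin (block form or single-line require); prints nothing if absent.
kit_version() {
    awk '$1 == "github.com/go-kit/kit" { print $2; exit }
         $1 == "require" && $2 == "github.com/go-kit/kit" { print $3; exit }'
}

# is_pseudo_version: succeed if $1 is a Go pseudo-version (14-digit UTC timestamp
# plus 12-hex commit hash), i.e. a commit pin rather than a tagged release.
is_pseudo_version() {
    printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+-(.*\.)?[0-9]{14}-[0-9a-f]{12}$'
}

# check_gomod: read go.mod text from stdin; return 0 when the pin is a pseudo-version
# or a release newer than v0.12.0, 1 when it is a tagged release <= v0.12.0.
# Version ordering uses sort -V (GNU coreutils / BusyBox); assumed available.
check_gomod() {
    v=$(kit_version)
    if [ -z "$v" ]; then
        echo "go-kit/kit is not required by this module"; return 0
    fi
    if is_pseudo_version "$v"; then
        echo "OK: $v is a pseudo-version (commit from master)"; return 0
    fi
    highest=$(printf '%s\n%s\n' "$v" v0.12.0 | sort -V | tail -n 1)
    if [ "$highest" = v0.12.0 ]; then
        echo "VULNERABLE: $v is a tagged release at or below v0.12.0"; return 1
    fi
    echo "OK: $v is a tagged release newer than v0.12.0"; return 0
}
```

Run it as `check_gomod < go.mod` in CI and fail the job on a non-zero exit.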

@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

Bugs: A, 0 Bugs
Vulnerabilities: A, 0 Vulnerabilities
Security Hotspots: A, 0 Security Hotspots
Code Smells: A, 0 Code Smells

No Coverage information
No Duplication information

@PlexPt

PlexPt commented Dec 12, 2022

Thanks for creating this pull request! I definitely see the value in having this feature and can understand why you would need it as well. Let's see if we can get some feedback from the rest of the team and work towards getting this implemented. Great work!

@PlexPt

PlexPt commented Dec 12, 2022

Dear A7103,

Thank you so much for creating this pull request to upgrade the github.com/go-kit/kit package. Your efforts to address the vulnerabilities in the previous version are greatly appreciated. We are grateful for your hard work and dedication to improving the security of our project.

Thank you again for your contribution!

@codecov-commenter

Codecov Report

Merging #5121 (ef09d4b) into develop (f5d84df) will decrease coverage by 0.06%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #5121      +/-   ##
===========================================
- Coverage    54.83%   54.76%   -0.07%     
===========================================
  Files          246      246              
  Lines        21896    21896              
===========================================
- Hits         12006    11991      -15     
- Misses        8938     8949      +11     
- Partials       952      956       +4     
Impacted Files                               Coverage Δ
client/httplib/filter/prometheus/filter.go   62.50% <0.00%> (-37.50%) ⬇️
server/web/session/sess_mem.go               31.68% <0.00%> (-1.00%) ⬇️
core/logs/file.go                            66.07% <0.00%> (-0.90%) ⬇️

@PrintlnPan PrintlnPan changed the title Upgrade github.com/go-kit/kit package Upgrade github.com/go-kit/kit package to fix CVE-2022-24450 vulnerabilities Dec 13, 2022
@PrintlnPan
Contributor Author

@flycash This is a Critical severity level vulnerability. If your review passes, I think a new release version should be released as soon as possible (maybe v2.0.7?).

@PrintlnPan PrintlnPan changed the title Upgrade github.com/go-kit/kit package to fix CVE-2022-24450 vulnerabilities Upgrade github.com/go-kit/kit package to fix CVE-2022-24450 vulnerability Dec 13, 2022
@flycash flycash merged commit fef71f2 into beego:develop Dec 13, 2022
@flycash
Collaborator

flycash commented Dec 13, 2022

Done. And if you remember, can you help to raise a new MR to upgrade the version to a stable version?

@flycash
Collaborator

flycash commented Dec 13, 2022

I mean, the kit version.

@PrintlnPan
Contributor Author

@flycash Thank you!

> And if you remember, can you help to raise a new MR to upgrade the version to a stable version?

I tried it before, but I found someone asked the author a similar question in go-kit/kit#843 (comment). It seems that he/she is reluctant to release a new version but wants to let the downstream control it themselves.

@PrintlnPan
Contributor Author

PrintlnPan commented Dec 13, 2022

Another possible reason the author does not release a new version is go-kit/kit#1223, but it still causes vulnerability warnings for projects that depend on beego, so I think it is still necessary to upgrade it.
